Pre requiste MDEV-9245: add host to validate password interface

Hostname added to the interface.

Cracklib plugin fixed according to the new interface.

include/mysql/plugin_password_validation.h

@@ -30,7 +30,7 @@
 extern "C" {
 #endif
 
-#define MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION 0x0100
+#define MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION 0x0101
 
 /**
   Password validation plugin descriptor
@@ -43,7 +43,8 @@ struct st_mariadb_password_validation
     and return 0 if the password has passed the validation.
   */
   int (*validate_password)(const MYSQL_CONST_LEX_STRING *username,
-                           const MYSQL_CONST_LEX_STRING *password);
+                           const MYSQL_CONST_LEX_STRING *password,
+                           const MYSQL_CONST_LEX_STRING *hostname);
 };
 
 #ifdef __cplusplus

include/mysql/plugin_password_validation.h.pp

@@ -649,6 +649,7 @@ struct st_mariadb_password_validation
 {
   int interface_version;
   int (*validate_password)(const MYSQL_CONST_LEX_STRING *username,
-                           const MYSQL_CONST_LEX_STRING *password);
+                           const MYSQL_CONST_LEX_STRING *password,
+                           const MYSQL_CONST_LEX_STRING *hostname);
 };
 }

mysql-test/suite/plugins/r/cracklib_password_check.result

@@ -4,7 +4,7 @@ PLUGIN_NAME	cracklib_password_check
 PLUGIN_VERSION	1.0
 PLUGIN_STATUS	ACTIVE
 PLUGIN_TYPE	PASSWORD VALIDATION
-PLUGIN_TYPE_VERSION	1.0
+PLUGIN_TYPE_VERSION	1.1
 PLUGIN_LIBRARY	cracklib_password_check.so
 PLUGIN_LIBRARY_VERSION	1.15
 PLUGIN_AUTHOR	Sergei Golubchik
@@ -37,6 +37,18 @@ show warnings;
 Level	Code	Message
 Warning	1819	cracklib: it is based on a dictionary word
 Error	1819	Your password does not satisfy the current policy requirements
+grant select on *.* to foocar@localhost identified by 'localhost';
+ERROR HY000: Your password does not satisfy the current policy requirements
+show warnings;
+Level	Code	Message
+Warning	1819	cracklib: it is based upon your password entry
+Error	1819	Your password does not satisfy the current policy requirements
+grant select on *.* to foocar@localhost identified by 'foocar@localhost';
+ERROR HY000: Your password does not satisfy the current policy requirements
+show warnings;
+Level	Code	Message
+Warning	1819	cracklib: it is derived from your password entry
+Error	1819	Your password does not satisfy the current policy requirements
 grant select on *.* to foobar identified by 'q$%^&*rty';
 drop user foobar;
 #

mysql-test/suite/plugins/r/simple_password_check.result

@@ -4,7 +4,7 @@ PLUGIN_NAME	simple_password_check
 PLUGIN_VERSION	1.0
 PLUGIN_STATUS	ACTIVE
 PLUGIN_TYPE	PASSWORD VALIDATION
-PLUGIN_TYPE_VERSION	1.0
+PLUGIN_TYPE_VERSION	1.1
 PLUGIN_LIBRARY	simple_password_check.so
 PLUGIN_LIBRARY_VERSION	1.15
 PLUGIN_AUTHOR	Sergei Golubchik

mysql-test/suite/plugins/t/cracklib_password_check.test

@@ -27,6 +27,14 @@ show warnings;
 grant select on *.* to foobar identified by 'qwerty';
 show warnings;
 
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to foocar@localhost identified by 'localhost';
+show warnings;
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to foocar@localhost identified by 'foocar@localhost';
+show warnings;
+
 grant select on *.* to foobar identified by 'q$%^&*rty';
 drop user foobar;
 

plugin/cracklib_password_check/cracklib_password_check.c

@@ -22,18 +22,21 @@
 static char *dictionary;
 
 static int crackme(const MYSQL_CONST_LEX_STRING *username,
-                   const MYSQL_CONST_LEX_STRING *password)
+                   const MYSQL_CONST_LEX_STRING *password,
+                   const MYSQL_CONST_LEX_STRING *hostname)
 {
   char *user= alloca(username->length + 1);
-  char *host;
+  char *full_name= alloca(hostname->length + username->length + 2);
   const char *res;
 
   memcpy(user, username->str, username->length);
   user[username->length]= 0;
-  if ((host= strchr(user, '@')))
-    *host++= 0;
+  memcpy(full_name, username->str, username->length);
+  full_name[username->length]= '@';
+  memcpy(full_name + username->length + 1, hostname->str, hostname->length);
+  full_name[hostname->length+ username->length + 1]= 0;
 
-  if ((res= FascistCheckUser(password->str, dictionary, user, host)))
+  if ((res= FascistCheckUser(password->str, dictionary, user, full_name)))
   {
     my_printf_error(ER_NOT_VALID_PASSWORD, "cracklib: %s",
                     ME_WARNING, res);

plugin/simple_password_check/simple_password_check.c

@@ -23,7 +23,9 @@
 static unsigned min_length, min_digits, min_letters, min_others;
 
 static int validate(const MYSQL_CONST_LEX_STRING *username,
-                    const MYSQL_CONST_LEX_STRING *password)
+                    const MYSQL_CONST_LEX_STRING *password,
+                    const MYSQL_CONST_LEX_STRING *hostname
+                      __attribute__((unused)))
 {
   unsigned digits=0 , uppers=0 , lowers=0, others=0, length= (unsigned)password->length;
   const char *ptr= password->str, *end= ptr + length;

sql/sql_acl.cc

@@ -2168,24 +2168,26 @@ static bool has_validation_plugins()
                         MariaDB_PASSWORD_VALIDATION_PLUGIN, NULL);
 }
 
-struct validation_data { const LEX_CSTRING *user, *password; };
+struct validation_data { const LEX_CSTRING *user, *password, *host; };
 
 static my_bool do_validate(THD *, plugin_ref plugin, void *arg)
 {
   struct validation_data *data= (struct validation_data *)arg;
   struct st_mariadb_password_validation *handler=
     (st_mariadb_password_validation *)plugin_decl(plugin)->info;
-  return handler->validate_password(data->user, data->password);
+  return handler->validate_password(data->user, data->password, data->host);
 }
 
 
 static bool validate_password(THD *thd, const LEX_CSTRING &user,
+                              const LEX_CSTRING &host,
                               const LEX_CSTRING &pwtext, bool has_hash)
 {
   if (pwtext.length || !has_hash)
   {
     struct validation_data data= { &user,
-                                   pwtext.str ? &pwtext : &empty_clex_str };
+                                   pwtext.str ? &pwtext : &empty_clex_str,
+                                   &host };
     if (plugin_foreach(NULL, do_validate,
                        MariaDB_PASSWORD_VALIDATION_PLUGIN, &data))
     {
@@ -2239,6 +2241,7 @@ static int set_user_salt(ACL_USER::AUTH *auth, plugin_ref plugin)
   not loaded, if the auth_string is invalid, if the password is not applicable
 */
 static int set_user_auth(THD *thd, const LEX_CSTRING &user,
+                         const LEX_CSTRING &host,
                          ACL_USER::AUTH *auth, const LEX_CSTRING &pwtext)
 {
   const char *plugin_name= auth->plugin.str;
@@ -2264,7 +2267,7 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,
   }
 
   if (info->hash_password &&
-      validate_password(thd, user, pwtext, auth->auth_string.length))
+      validate_password(thd, user, host, pwtext, auth->auth_string.length))
   {
     res= ER_NOT_VALID_PASSWORD;
     goto end;
@@ -3373,7 +3376,10 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth,
       acl_user->auth[i].auth_string= safe_lexcstrdup_root(&acl_memroot, auth->auth_str);
       if (fix_user_plugin_ptr(acl_user->auth + i))
         acl_user->auth[i].plugin= safe_lexcstrdup_root(&acl_memroot, auth->plugin);
-      if (set_user_auth(thd, acl_user->user, acl_user->auth + i, auth->pwtext))
+      LEX_CSTRING host= { acl_user->host.hostname ,
+                          acl_user->hostname_length};
+      if (set_user_auth(thd, acl_user->user, host,
+                        acl_user->auth + i, auth->pwtext))
         return 1;
     }
   }
@@ -3976,7 +3982,8 @@ bool change_password(THD *thd, LEX_USER *user)
   {
     auth= acl_user->auth[i];
     auth.auth_string= safe_lexcstrdup_root(&acl_memroot, user->auth->auth_str);
-    int r= set_user_auth(thd, user->user, &auth, user->auth->pwtext);
+    int r= set_user_auth(thd, user->user, user->host,
+                         &auth, user->auth->pwtext);
     if (r == ER_SET_PASSWORD_AUTH_PLUGIN)
       password_plugin= auth.plugin.str;
     else if (r)